DPDP Act 2023

Digital Personal Data Protection Act 2023/DPDPA

India's principal data protection law, enacted in August 2023, governing all processing of personal data of Indian residents.

Filing window

Compliance obligations come into force on dates notified by MeitY; phased rollout expected through 2025-26

Regulator

Data Protection Board of India (DPBI)

Penalty

Tiered penalties up to INR 250 crore per instance: INR 200 c...

Legal basis

Digital Personal Data Protection Act, 2023 (No. 22 of 2023)

§ 01
Definition

What is DPDP Act 2023?

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India's first comprehensive personal data protection legislation, enacted on 11 August 2023. The Act establishes obligations for any entity (called a Data Fiduciary) that determines the purpose and means of processing personal data of Indian residents (Data Principals), regardless of whether the processing happens inside or outside India. Implementation is being phased in through DPDP Rules notified by the Ministry of Electronics and Information Technology.

Key obligations include obtaining specific, informed, free consent before processing; providing a notice in clear language at the time of collection; appointing a Data Protection Officer for Significant Data Fiduciaries; conducting Data Protection Impact Assessments for high-risk processing; reporting personal data breaches to the Data Protection Board; and enabling Data Principal rights including access, correction, erasure, and grievance redressal. Cross-border data transfers are permitted to any country except those notified by the Central Government as restricted.

Applies to
  • Any entity processing personal data of Indian residents, regardless of where processing occurs
  • Indian subsidiaries of foreign parents
  • Foreign companies offering goods or services to Indian residents
  • Healthcare GCCs handling patient data
  • Fintech and BFSI GCCs processing customer data
  • EdTech GCCs handling student data

§ 02
Citation

Statutory basis

Digital Personal Data Protection Act, 2023 (No. 22 of 2023)

Rule reference

DPDP Rules notified by MeitY

Notification

MeitY notifications and Data Protection Board orders

Enforced by

Data Protection Board of India (DPBI), constituted under the DPDP Act; MeitY for policy

Citations are editorially curated. Always verify current applicability with qualified Indian counsel before acting on a specific matter.

§ 03
Why it matters

The stake

Filing window for DPDP Act 2023: compliance obligations come into force on dates notified by MeitY; phased rollout expected through 2025-26. Skipping or mishandling this compliance carries direct financial and operational consequences.

Why DPDP Act 2023 matters for your GCC

The DPDP Act materially expands compliance obligations for any GCC handling personal data of Indian residents, including employee data (HR systems), customer data (where the GCC supports India-facing services), and beneficiary data (healthcare, financial services). The penalty regime (up to INR 250 crore per instance) is one of the highest in Indian commercial law, comparable to GDPR penalty structures. GCCs that previously relied on internal data handling policies must now establish formal DPDP compliance programmes with documented consent flows, breach response procedures, and Data Protection Officer appointments.

§ 04
Pitfalls

The 4 ways DPDP Act 2023 goes wrong

Real scenarios from real GCC compliance audits. Each one preventable.

Trap 01

Assuming DPDP applies only to consumer-facing data; the Act covers all personal data processing including employee HR data, vendor data, and contractor data

Trap 02

Relying on parent-company GDPR programmes without local DPDP gap analysis; the two regimes overlap but are not identical

Trap 03

Failing to identify the entity as a Significant Data Fiduciary when processing meets prescribed thresholds, missing DPO appointment and DPIA obligations

Trap 04

Treating consent as a one-time activity; DPDP requires withdrawal mechanisms and ongoing consent management

§ 05
IRPR Network handles this

Done for you

Compliance Management Service

irpr.network conducts a DPDP gap assessment for your GCC, drafts consent notices and processing policies, sets up Data Protection Officer engagement where required, and implements breach response and DPIA workflows.

Our workflow

  1. Identify the trigger event in your GCC operations
  2. Prepare and validate the DPDP Act 2023 filing or compliance step
  3. Submit to the regulator and obtain acknowledgement
  4. Track in your compliance calendar for ongoing or recurring obligations

§ 07
Questions

Asked about DPDP Act 2023

4 specific questions that GCC operators ask most often, answered with citations to the relevant regulations.

Need help with DPDP Act 2023?

IRPR Network manages DPDP Act 2023 as part of Compliance Management Service, with a zero-penalty guarantee.

Q01

Does the DPDP Act apply to a GCC that only handles employee data, not customer data?

Yes. DPDP applies to all processing of personal data of Indian residents, including employee HR data, vendor contact data, and contractor data. The Act does not distinguish between consumer-facing data and internal operational data. Indian GCCs must apply DPDP obligations to their entire personal data ecosystem.

Q02

What is a Significant Data Fiduciary under DPDP and how is it determined?

A Significant Data Fiduciary (SDF) is a category of Data Fiduciary that processes personal data at a scale or sensitivity meeting thresholds notified by the Central Government. SDFs face additional obligations including mandatory appointment of a Data Protection Officer, conducting Data Protection Impact Assessments for high-risk processing, and engaging an Independent Data Auditor. The thresholds are being clarified through DPDP Rules.

Q03

Can a GCC transfer personal data of Indian residents to its foreign parent for processing?

Yes, subject to the Central Government not having notified the parent's country as a restricted jurisdiction. The DPDP Act adopts a permissive cross-border transfer framework: transfers are allowed by default to all countries except those specifically restricted. This is more permissive than GDPR's adequacy decision framework.

Q04

What is the penalty for non-compliance with DPDP?

Penalties are tiered up to INR 250 crore per instance, imposed by the Data Protection Board after inquiry. Specific penalties include INR 250 crore for failure to take reasonable security safeguards, INR 200 crore for breach of children's data obligations, and INR 150 crore for Significant Data Fiduciary obligation breaches. The DPDP Act is among the most stringent penalty regimes in Indian commercial law.
